On Thu 28/Nov/2024 18:11:50 +0100 Daniel K. wrote:
On 11/27/24 18:18, Alessandro Vesely wrote:
On Wed 27/Nov/2024 02:41:03 +0100 Martin Thomson via Datatracker wrote:

[...]

S3 defines a validation process that involves querying DNS at "<provider
name>._report._dmarc.<target name>".  This will fail when this string is too
long, which is pretty easy to manage for an attacker.  That's an unrecoverable
error, but the procedure says nothing about that error.  Does that make certain
reporting architectures impossible for some providers?


The only change is adding a consideration that domains whose name length is near the maximum domain name length limit cannot use external services, however short the name of the external provider. They must create an ad-hoc mailbox that forwards to the external service.

I think he means that the verification process does not explicitly say
anything about the possibility that the length of the constructed domain
name of the third party:

author domain "._report._dmarc." report receiver domain

may exceed the DNS max length limit for a domain name, and what to do in
that case.

Obviously the current step 4 will fail because of the too long name, but
maybe we can be explicit about this possibility and the workaround.

Add a new step 4, and renumber the later steps?

4.  If the length of the constructed name exceeds DNS limits,
     a positive determination of the external reporting
     relationship cannot be made; stop.


s/ stop/ therefore no report should be sent to such address/.


And also add a final paragraph to the end of the same section, maybe
something like this:

   If the Author Domain is so long that external verification
   fails in step 4, above, you will not be able to use the
   third party Report Receiver. As a workaround, you can set
   up a local mailbox that forwards to the third party Report
   Receiver.


I'd say /might fail/. Not sure every library has a hard limit of 254 chars. EDNS lets you send longer queries. I'd guess at limit cases some resolver can fail while some other can succeed. Any better info, anyone?


Best
Ale
--
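As an added example (not part of this thread or of the DMARC spec), here is a check for the length problem being discussed: it builds the `<author domain>._report._dmarc.<report receiver>` name and tests it against the RFC 1035 limits. The domain names used are constructed for illustration.

```python
# Added example: can the DMARC external-report verification name be queried at all?
# RFC 1035 limits: each label <= 63 octets, whole name <= 255 octets in wire
# format (which is 253 characters in text form). These are name limits, not
# message-size limits, so EDNS does not raise them.
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255


def wire_length(name: str) -> int:
    """Octets needed for `name` in DNS wire format: one length byte per label,
    the label bytes themselves, plus the empty root label."""
    labels = name.rstrip(".").split(".")
    return sum(1 + len(label) for label in labels) + 1


def verification_name(author_domain: str, report_receiver: str) -> str:
    """Name that RFC 7489 section 7.1 queries: <author>._report._dmarc.<receiver>."""
    return f"{author_domain.rstrip('.')}._report._dmarc.{report_receiver.rstrip('.')}"


def can_verify_externally(author_domain: str, report_receiver: str):
    """Return (True, name) when the constructed name is queryable, or
    (False, reason) when it breaks a DNS limit. The False case is the one the
    proposed step 4 covers: no positive determination is possible, so no report
    should be sent to that external address."""
    name = verification_name(author_domain, report_receiver)
    for label in name.split("."):
        if len(label) > MAX_LABEL_OCTETS:
            return False, f"label {label!r} exceeds {MAX_LABEL_OCTETS} octets"
    octets = wire_length(name)
    if octets > MAX_NAME_OCTETS:
        return False, f"name is {octets} octets in wire form, limit is {MAX_NAME_OCTETS}"
    return True, name


if __name__ == "__main__":
    # Constructed author domain: 236 characters, itself a legal DNS name, yet the
    # verification name built from it no longer fits.
    long_author = ".".join(["a" * 63] * 3 + ["b" * 40, "com"])
    print(can_verify_externally("example.com", "reports.example.net"))
    print(can_verify_externally(long_author, "reports.example.net"))
```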
_______________________________________________
dmarc mailing list -- [email protected]